Implementasi SPF.
Anton Rahmadi @28 Januari 2009
versi 1.3 GPL


Sender Policy Framework
Open.ch, OpenSPF.org, IETF proposed standard
(catatan Postfix harus versi > 2.3.x)


Edit entri di DNS server / hosting agar mendukung SPF. Catatan: `~all` berarti softfail (pengirim yang tidak cocok hanya ditandai, bukan ditolak), dan mekanisme `ptr` tidak dianjurkan oleh spesifikasi SPF karena lambat dan tidak andal.

	namadomain.ac.id. TXT "v=spf1 a mx ptr ~all"
	subdomain.namadomain.ac.id. TXT "v=spf1 a mx ptr ~all"


Buat user spf. Catatan: skrip rc.postgrey dan tambahan master.cf di bawah memakai user/group `greylist`; pastikan nama akun yang dipakai konsisten di seluruh langkah (buat juga user `greylist`, atau sesuaikan opsi `--user`/`--group` dan `user=` dengan user `spf`).

	groupadd spf
	useradd -d /var/mta -g spf spf


Buat direktori kerja. Catatan: langkah-langkah berikutnya dan master.cf merujuk ke /usr/local/spf/{greylist,policyd,postgrey}, sehingga ketiga subdirektori tersebut harus berada di bawah /usr/local/spf, bukan langsung di /usr/local.

	mkdir /usr/local/spf
	mkdir /usr/local/{greylist,policyd,postgrey}


Instalasi modul-modul PERL yang dibutuhkan greylist

	perl -MCPAN -e'CPAN::Shell->install("DB_File")'
	perl -MCPAN -e'CPAN::Shell->install("Sys::Syslog")'


Instalasi greylist (last update: 22Jan2009). Ganti `${sub.minor.version}` dengan versi Postfix yang terpasang, dan salin greylist.pl ke direktori yang dirujuk master.cf.

	cd /usr/local/src/postfix-2.4.${sub.minor.version}
	cp examples/smtpd-policy/greylist.pl /usr/local/greylist/greylist.pl
	chmod 755 /usr/local/greylist/greylist.pl


Buat direktori database

	mkdir /var/mta
	touch /var/mta/greylist.db
	chown -R spf.spf /var/mta


Instalasi modul-modul PERL yang dibutuhkan policyd

	perl -MCPAN -e'CPAN::Shell->install("Mail::SPF")'
	perl -MCPAN -e'CPAN::Shell->install("NetAddr::IP")'


Instalasi policyd 2.007 (last update: 21Jan2009)

	cd /usr/local/src
	wget -c http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
	tar -xzvf postfix-policyd-spf-perl-2.007.tar.gz
	cd postfix-policyd-spf-perl-2.007
	cp postfix-policyd-spf-perl /usr/local/spf/policyd/policyd-spf-perl
	chmod 755 /usr/local/spf/policyd/policyd-spf-perl


Instalasi modul-modul PERL yang dibutuhkan Postgrey (nama modul Perl memakai pemisah `::`, misalnya `IO::Multiplex`, `IO::Socket::INET`, dan `Pod::Usage`).

	perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
	perl -MCPAN -e'CPAN::Shell->install("IO:Multiplex")'
	perl -MCPAN -e'CPAN::Shell->install("IO:Socket::INET")'
	perl -MCPAN -e'CPAN::Shell->install("BerkeleyDB")'
	perl -MCPAN -e'CPAN::Shell->install("Sys::Hostname")'
	perl -MCPAN -e'CPAN::Shell->install("Sys::Syslog")'
	perl -MCPAN -e'CPAN::Shell->install("Parse::Syslog")'
	perl -MCPAN -e'CPAN::Shell->install("Pod:Usage")'
	perl -MCPAN -e'CPAN::Shell->install("Getopt::Long")'
	perl -MCPAN -e'CPAN::Shell->install("Fcntl")'


Instalasi postgrey 1.32 (last update: 23Jan2009). Catatan: berkas postgrey dan policy-test disalin ke /usr/local/spf/postgrey, jadi perintah chmod di bawah seharusnya mengenai direktori itu, bukan direktori greylist.

	cd /usr/local/src
	wget -c http://postgrey.schweikert.ch/pub/postgrey-1.32.tar.gz
	tar -xzvf postgrey-1.32.tar.gz
	cd postgrey-1.32
	cp postgrey /usr/local/spf/postgrey
	cp policy-test /usr/local/spf/postgrey
	chmod 755 /usr/local/spf/greylist/*
	cp postgrey_whitelist_recipients /etc/postfix/
	cp postgrey_whitelist_clients /etc/postfix/


Buat skrip /usr/local/spf/rc.postgrey

	#!/bin/bash
	#--- Generic Service Start/Stop Script
	#--- Anton Rahmadi @27Jan2009

	#--- Configuration
	SERVICENAME=postgrey
	SERVICEFILE=/usr/local/spf/postgrey/postgrey
	SERVICEPID=/var/run/postgrey.pid
	#--- Options handed to postgrey. startservice expands this string unquoted,
	#--- so it is split on whitespace into one argument per option.
	#--- NOTE(review): --user/--group=greylist must exist on the host; the
	#--- install notes above create user/group "spf" and chown /var/mta to it.
	#--- Confirm which account postgrey is meant to run as.
	#--- NOTE(review): confirm --inet=9999 listens on loopback only, matching
	#--- the 127.0.0.1 listeners declared in master.cf.
	SERVICECONFIG="--user=greylist --group=greylist --inet=9999"
	SERVICECONFIG+=" --delay=50 --daemonize --auto-whitelist-clients=3"
	SERVICECONFIG+=" --dbdir=/var/mta --pidfile=$SERVICEPID"

	#--- Optional configuration
	SLEEPVALUE=2  # seconds to wait after start before reporting status; raise on slow CPUs

	#--- Non configurable 
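	#--- Abort unless the service binary exists. The diagnostic goes to stderr
	#--- and the exit status is non-zero, so an init system or monitor that
	#--- calls this script does not mistake a missing binary for a successful
	#--- start (the previous version exited 0 here).
	checkservice() {
		if [ ! -f "$SERVICEFILE" ]; then
			printf '%s: \tNOT FOUND\n' "$SERVICEFILE" >&2
			exit 1
		fi
	}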

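	#--- Start the service unless it is already running.
	#--- A pidfile alone is not proof of a running process: after a crash the
	#--- file is left behind and the old check refused every future start
	#--- until it was removed by hand. The pid is accepted only if it is a
	#--- positive integer and kill -0 confirms the process exists (kill -0 also
	#--- fails with EPERM for processes we may not signal; this script is
	#--- expected to run as root).
	startservice() {
		local pid
		if [ -e "$SERVICEPID" ]; then
			pid=$(cat -- "$SERVICEPID" 2>/dev/null)
			if [[ "$pid" =~ ^[1-9][0-9]*$ ]] && kill -0 "$pid" 2>/dev/null; then
				echo "$SERVICENAME:		ALREADY STARTED"
				exit 0
			fi
			printf '%s:\t\tSTALE PIDFILE %s REMOVED\n' "$SERVICENAME" "$SERVICEPID" >&2
			rm -f -- "$SERVICEPID"
		fi
		# shellcheck disable=SC2086 -- SERVICECONFIG is a deliberately word-split option string
		"$SERVICEFILE" $SERVICECONFIG
	}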

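	#--- Stop the service recorded in the pidfile, then remove the pidfile.
	#--- The pidfile is written by the unprivileged service user, so its
	#--- content is not trusted blindly: only a plain positive integer is used
	#--- as the kill target, which keeps a corrupt or tampered file from
	#--- redirecting the signal to other processes (the old `kill \`cat ...\``
	#--- passed whatever the file contained straight to kill).
	#--- Returns 1 and removes the file when its content is not a pid.
	stopservice() {
		local pid
		if [ -e "$SERVICEPID" ]; then
			pid=$(cat -- "$SERVICEPID" 2>/dev/null)
			if [[ "$pid" =~ ^[1-9][0-9]*$ ]]; then
				kill -- "$pid" || printf '%s:\t\tCOULD NOT SIGNAL PID %s\n' "$SERVICENAME" "$pid" >&2
				rm -f -- "$SERVICEPID"
			else
				printf '%s:\t\tINVALID PIDFILE %s REMOVED\n' "$SERVICENAME" "$SERVICEPID" >&2
				rm -f -- "$SERVICEPID"
				return 1
			fi
		else
			echo "$SERVICENAME:		ALREADY STOP"
			exit 0
		fi
	}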

	#--- Print "<name>:<tab><tab>STARTED" or "...STOP" depending on whether the
	#--- pidfile exists. Only the file's presence is checked, not the process,
	#--- so a pidfile left behind by a crash still reads as STARTED.
	checkstatus() {
		local state=STOP
		[ -e "$SERVICEPID" ] && state=STARTED
		printf '%s:\t\t%s\n' "$SERVICENAME" "$state"
	}

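	#--- Entry point: verify the binary exists, then dispatch on the single
	#--- action argument. An unknown or missing action prints usage to stderr
	#--- and exits 2 (it used to print to stdout and exit 0, so typos in an
	#--- init script looked like success). restart re-executes this script
	#--- for stop and then start, as before.
	main() {
		checkservice
		case "${1:-}" in
			start)
				startservice
				sleep "$SLEEPVALUE"
				checkstatus
				;;
			stop)
				stopservice
				checkstatus
				;;
			restart)
				"$0" stop
				"$0" start
				;;
			status)
				checkstatus
				;;
			*)
				printf 'Usage %s {start|stop|restart|status}\n' "$0" >&2
				exit 2
				;;
		esac
	}

	main "$@"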


Buat skrip /usr/local/spf/rc.postgrey agar dapat dieksekusi

	chmod 755 /usr/local/spf/rc.postgrey


Backup /etc/postfix/master.cf dan /etc/postfix/main.cf

	cd /etc/postfix
	cp master.cf master.cf.nospf
	cp main.cf main.cf.nospf


Tambahkan greylist,policyd,postgrey di /etc/postfix/master.cf

	cd /etc/postfix
	vi master.cf

	---------------------tambahan isi master.cf----------------------
	# begin ---- spf implementation, ARahmadi @20Jan2009
	#greylist
	127.0.0.1:9997  inet  -       n       n       -       -      spawn
	   user=greylist argv=/usr/bin/perl /usr/local/spf/greylist/greylist.pl
	#policyd
	127.0.0.1:9998  inet  -       n       n       -       -      spawn
	   user=greylist argv=/usr/bin/perl /usr/local/spf/policyd/policyd-spf-perl
	# end ---- spf implementation
	[Esc][Shift-ZZ]
	---------------------tambahan isi master.cf----------------------


Ubah konfigurasi di /etc/postfix/main.cf. Catatan urutan aturan: `reject_unauth_destination` sebaiknya ditempatkan sebelum `reject_unverified_recipient`/`reject_unverified_sender`, agar server tidak melakukan probe verifikasi alamat untuk tujuan yang memang bukan relay Anda.

	cd /etc/postfix
	vi main.cf

	---------------------perubahan isi main.cf----------------------
	127.0.0.1:9997_time_limit = 3600
	127.0.0.1:9998_time_limit = 3600
	restriction_classes = greylist
	greylist = 
		check_policy_service inet:127.0.0.1:9997
		reject_unauth_destination,
		reject_unverified_sender

	smtpd_recipient_restrictions =
		reject_unauth_pipelining,
		reject_non_fqdn_sender,
		reject_non_fqdn_recipient,
		reject_unknown_sender_domain,
		reject_unknown_recipient_domain,
		permit_mynetworks,
		permit_sasl_authenticated,
		reject_unverified_recipient,
		reject_unverified_sender,
		reject_invalid_hostname,
		reject_multi_recipient_bounce,
		reject_unauth_destination,
		#---greylist
		check_policy_service inet:127.0.0.1:9997,
		#---policyd
		check_policy_service inet:127.0.0.1:9998,
		#---postgrey
		check_policy_service inet:127.0.0.1:9999,
		permit
	[Esc][Shift-ZZ]
	---------------------perubahan isi main.cf----------------------


Menambahkan aturan di /etc/postfix/sender_access. Catatan: peta ini hanya berpengaruh jika `smtpd_recipient_restrictions` memuat `check_sender_access hash:/etc/postfix/sender_access` (yang memanggil kelas `greylist`); contoh main.cf di atas belum menyertakannya.

	cd /etc/postfix
	vi sender_access

	------------------perubahan isi sender_access-------------------
	yahoo.com	greylist
	ymail.com	greylist
	rocketmail.com	greylist
	aol.com		greylist
	hotmail.com	greylist
	bigfoot.com	greylist
	gmail.com	greylist
	[Esc][Shift-ZZ]
	------------------perubahan isi sender_access-------------------
	postmap /etc/postfix/sender_access


Reload Postfix

	postfix reload


Melihat keaktifan spf

	netstat -plan | grep tcp | grep 999
	tcp        0      0 127.0.0.1:9997         0.0.0.0:*               LISTEN     30205/master   
	tcp        0      0 127.0.0.1:9998         0.0.0.0:*               LISTEN     30210/master  
	tcp        0      0 127.0.0.1:9999         0.0.0.0:*               LISTEN     30215/perl  


Coba mengirim email dan amati lognya


Apabila gagal, edit kembali main.cf dan berikan tanda # di depan baris `check_policy_service inet:127.0.0.1:9997` (nonaktifkan satu layanan kebijakan pada satu waktu agar terlihat mana yang bermasalah); blok yang dimaksud ditunjukkan di bawah.

	cd /etc/postfix
	vi main.cf

	---------------------perubahan isi main.cf----------------------
	smtpd_recipient_restrictions =
		...
		    reject_unauth_destination,
		#---greylist
		check_policy_service inet:127.0.0.1:9997,
		#---policyd
		check_policy_service inet:127.0.0.1:9998,
		#---postgrey
		check_policy_service inet:127.0.0.1:9999,
		...
	[Esc][Shift-ZZ]
	---------------------perubahan isi main.cf----------------------


Reload postfix

	postfix reload


Ulangi langkah-langkah di atas, sampai kesalahannya ditemukan.
